Challenges in operational resilience are not getting any easier, so how can financial services organisations assess their risk and win support for their agenda? A group of senior executives met over breakfast in central London to address exactly that.
Expectations in operational resilience have changed, said Duncan Bradley of Kyndryl, introducing a TEISS Breakfast Briefing at the Langham Hotel in London. He told an audience of senior executives from the financial services sector that impact tolerances which might once have been measured in days are now measured in hours or minutes.
Add to that the increased complexity of modern IT estates and the introduction of new regulations, and the result is a significant challenge that should be a key agenda item for financial services companies. However, many attendees said they found it difficult to get the internal support they need. That must change, they said, because the challenges are not going to get easier.
Regulatory compliance
One reason why operational resilience must become a greater priority is the arrival of stricter regulations. The FCA's operational resilience rules took effect in March 2022, requiring financial services firms to identify their important business services, set impact tolerances for them and demonstrate that they can remain within those tolerances during severe disruption. Businesses must be able to show that they understand where the gaps are and how to fix them.
Attendees agreed that this has focused more attention on operational resilience, though perhaps not enough. They argued that companies are still focused on the internal implications of resilience, while the regulatory focus is on the consequences for customers. Fixing this disconnect will be an important part of compliance in the coming years, as regulations tighten further.
This can be done with better planning. Most attendees felt organisations were still only acting after a crisis, rather than planning for one. One attendee with experience in disaster recovery said these situations were usually resolved “with a chequebook and a good supplier relationship” rather than specific planning, which isn’t a long-term solution.
Assessing risk
To plan for the long term, organisations need a better understanding of their estate. Several attendees said this is a task that recurs with frustrating regularity. Organisations audit their assets, work out how everything is connected and what the processes are, and then allow that understanding to lapse and become outdated as the estate expands and changes.
This has been complicated by the move to the cloud and the growing number of third-party suppliers. Auditing your estate now means assessing third-party risks and dependencies. This is easier in some cases than others. Some attendees said that auditing major cloud suppliers is incredibly difficult. And the whole process is time-consuming for everyone. One attendee suggested that it might be better for this auditing to happen at sector level, where it could be done once, and the results shared with all customers.
Fortunately, there are software tools that can help map the organisation, identifying and quantifying risk, and these can also assess third parties, though how far they can do so depends on how much co-operation suppliers provide. The resulting data can be used to build a digital twin: a virtual replica of the organisation's services and their dependencies, in which failure scenarios can be tested without affecting live operations.
Nobody at the briefing was using digital twin technology yet, though some said they are exploring it. Bradley said that only around half of Kyndryl’s top customers had adopted digital twins so far.
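To make the mapping and testing described above concrete, here is an added example, not code from the page, from Kyndryl or from any commercial digital-twin product. It models a small estate as a dependency graph of internal components and third-party suppliers, attaches an impact tolerance to each important business service, and then simulates the failure of every component in turn to find which tolerances would be breached and which suppliers each service depends on. The service names, suppliers and recovery-time estimates are constructed for illustration, and the model assumes that the outage of a service equals the recovery time of the failed component, with no redundancy or failover.

```python
"""Dependency map and impact-tolerance check for important business services.

Added example (not from the briefing or any vendor). The estate below is a
constructed sample; recovery times and tolerances are illustrative minutes.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    owner: str                         # "internal" or a third-party supplier
    recovery_minutes: int              # assumed time to restore after failure
    depends_on: list[str] = field(default_factory=list)


@dataclass
class BusinessService:
    name: str
    impact_tolerance_minutes: int      # maximum tolerable outage
    depends_on: list[str]              # direct component dependencies


# Constructed sample estate: two suppliers (CloudCo, FraudVendor) and four
# internal components. "db-cluster" underpins everything via core-ledger.
COMPONENTS = {
    "payments-api": Component("payments-api", "internal", 30, ["core-ledger", "fraud-screening"]),
    "core-ledger": Component("core-ledger", "internal", 240, ["db-cluster"]),
    "db-cluster": Component("db-cluster", "CloudCo", 45),
    "fraud-screening": Component("fraud-screening", "FraudVendor", 180),
    "statements": Component("statements", "internal", 600, ["core-ledger", "doc-store"]),
    "doc-store": Component("doc-store", "CloudCo", 120),
}

SERVICES = [
    BusinessService("Make a payment", 60, ["payments-api"]),
    BusinessService("View balance", 120, ["core-ledger"]),
    BusinessService("Download statement", 1440, ["statements"]),
]


def transitive_dependencies(root, components):
    """All components reachable from root via depends_on edges, root included."""
    seen = {root}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in components[current].depends_on:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def service_footprint(service, components):
    """Every component a business service ultimately relies on."""
    footprint = set()
    for dep in service.depends_on:
        footprint |= transitive_dependencies(dep, components)
    return footprint


def simulate_failure(component_name, services, components):
    """Services whose tolerance is breached if component_name fails.

    Simplification: the service outage equals the component's recovery time;
    redundancy and failover are not modelled.
    """
    outage = components[component_name].recovery_minutes
    breached = []
    for svc in services:
        if component_name in service_footprint(svc, components) and outage > svc.impact_tolerance_minutes:
            breached.append((svc.name, svc.impact_tolerance_minutes, outage))
    return breached


def supplier_exposure(services, components):
    """Map each third-party supplier to the business services depending on it."""
    exposure = {}
    for svc in services:
        for name in service_footprint(svc, components):
            owner = components[name].owner
            if owner != "internal":
                exposure.setdefault(owner, set()).add(svc.name)
    return exposure


def tolerance_report(services, components):
    """Run every single-component failure scenario; keep only the breaches."""
    report = {}
    for name in components:
        breaches = simulate_failure(name, services, components)
        if breaches:
            report[name] = breaches
    return report


if __name__ == "__main__":
    for component, breaches in tolerance_report(SERVICES, COMPONENTS).items():
        for service, tolerance, outage in breaches:
            print(f"{component} failure: '{service}' tolerance {tolerance} min, outage {outage} min")
    for supplier, services in sorted(supplier_exposure(SERVICES, COMPONENTS).items()):
        print(f"{supplier}: {', '.join(sorted(services))}")
```

Running it on the sample shows the point the attendees were making about lapsed understanding: the component that breaches the most tolerances (core-ledger) is internal, but a single cloud supplier sits underneath all three important business services, which is exactly the kind of concentration that only becomes visible once the map is complete and kept current.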
Building support
Getting the resources needed to manage resilience properly depends on internal support, which can be a challenge. For example, some attendees said that product managers will often prioritise investment in new features over resilience, because new features are more likely to help them achieve their goals.
A similar issue makes it harder to get the board to support resilience efforts, attendees said. Although regulations say that responsibility for resilience sits at board level, board members are “ostriches”, said one attendee. Their heads are buried in the sand because they don’t want to face the issue. Their bonuses are not tied to resilience and nothing in their business training has prepared them for it.
Attendees said there needs to be more pressure on board members to drive resilience, perhaps through regulators holding individuals accountable and requiring those who breach regulations to forfeit bonuses. There are some signs of change in other jurisdictions. In the US, the SEC has proposed requiring companies to disclose whether any board member has cyber-security expertise, while the Central Bank of Ireland's Individual Accountability Framework assigns personal responsibility to named senior executives.
Perhaps the most important point, attendees argued, is that resilience is not a task that can be finished. It is an ongoing cost that organisations will have to accommodate, and many are only beginning to understand that.
Kyndryl works at the core of businesses that move the world. With more than 90,000 skilled professionals serving customers in over 60 countries, we design, build, manage and modernize the mission-critical technology systems that the world depends on every day. To learn more, visit www.kyndryl.com
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543